
ISO Standards and their Internal Audit (IA) requirement


Overview

One of the biggest pain points for companies preparing for an ISO 27001 stage 1 and stage 2 audit is meeting the requirement in clause 9. This clause requires the organization to conduct internal audits that provide information on whether the ISMS conforms both to the organization’s own requirements for its ISMS and to the requirements of the standard (9.2.2).

To fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated. The IA must be performed and completed before your stage 1 audit begins.

The purpose of an internal audit is to assess the effectiveness of an organization’s Information Security Management System (ISMS) and identify areas for improvement. This ensures that the organization’s ISMS is aligned with ISO 27001’s requirements and is functioning as intended.

Who is considered an independent and objective auditor?

An independent and objective auditor is someone who is not biased or influenced by personal or professional relationships or interests and who is free from conflicts of interest. The independent and objective auditor is typically not employed by the organization, is not involved in its day-to-day operations, and has no personal or financial interest in the outcome of the audit.

ISO’s additional requirement for an auditor concerns competence. The auditor should have the necessary knowledge, skills, and experience to conduct the audit effectively. This may include formal qualifications, such as those offered by professional auditing organizations, as well as practical experience in auditing similar organizations or activities.

Can your Trust Cloud compliance expert perform your ISO IA?

As part of your package, you are assigned a compliance expert. This expert is available to help answer any compliance questions related to your program. Often, the nature of these questions influences how the organization designs and implements a specific requirement.

The questions vary from “How do I address XYZ requirement?” to “Is the way that I am addressing XYZ requirement valid?”. By answering these questions, your compliance expert becomes an extension of your internal compliance program and is directly involved in the design and/or enhancement of your ISO controls.

As a result, your compliance expert cannot meet ISO’s independence and objectivity requirement. Using your Trust Cloud compliance expert as your internal auditor can result in a minor or major nonconformity.

What are the solutions for Trust Cloud customers?

We’ve seen organizations hire an external consultant (an outsourced internal auditor) to perform the IA. This can be a good option, as long as the consultant is competent and has unrestricted access to the records and personnel needed to perform the review without issues.

If you are in search of consultants, Trust Cloud has great partners to put you in touch with.

Some organizations choose to establish an ‘Internal Audit’ function of their own, which helps the organization achieve its objectives by providing independent and objective assessments of its operations and identifying areas for improvement. The internal audit function conducts regular reviews and assessments of the organization’s activities, controls, and processes to identify areas for improvement and to recommend enhancements to the organization’s operations.
